What does GDPR mean for agency contracts?

In our GDPR Q&A series we get answers from experts to your burning questions about data regulations and compliance.

We are less than a year away from GDPR being enforced. Amid the Brexit talks, it is easy to assume that this EU regulation won’t affect businesses in the UK, but you would be wrong to think so.

Anyone who intends to do business with a customer within the EU needs to ensure they comply or risk the monumental fines (up to 4% of global turnover). For both agencies and brands, these are significant fines in a sector where operating internationally is the norm. Yet a new report by Irwin Mitchell/YouGov shows that just 30% of UK businesses are preparing for GDPR’s arrival. Changes to the EU-US Privacy Shield agreement are also due to be confirmed later in the year, threatening to further complicate the situation.

GDPR means that consumers’ data can only be shared and used by businesses when they have directly given consent. For this to take place, the value exchange needs to be made clear, and this will be a big challenge for the digital world. As with changes to cookies, it will mean some intrusive pop-ups appearing on screens to ensure companies comply with the regulations. This gives an opportunity to be explicit with consumers about the benefits of sharing their data.

Under the new guidelines, IP addresses may well be classed as personally identifiable information, despite the fact that it has always proven difficult to identify individuals based on this information alone. This change is likely to affect many advertisers and businesses who routinely store and use this information as part of their web analytics or attribution systems.

For agencies, these changes likely mean brands will be more forthright in asking for assurance that GDPR is being adhered to, as this may affect their ability to deliver contextually relevant advertising using personal data. Expect this to form a new subsection of any contracts being mooted. At Forward3D, we are seeing growing interest from marketers in their approach to contracts, including clarification on where data is held and who is in charge of it. Where data has been purchased, you need to be able to prove where it came from. GDPR even requires many businesses to assign a data protection officer, especially if they are dealing with sensitive data, personal information or a large volume of data.

Brands should be asking their agencies how they are preparing for GDPR, what consent is being granted, and how they will manage potential data breaches. A greater awareness of what data you hold and why may lead to companies cleaning out the Augean stables of outdated, stale data and entering into a new paradigm of data consumers are happy to share, understanding the relationship they can have with companies they like and trust. The best agencies have been treating consumer data with care and sensitivity for a while, but GDPR should finally tame the Wild West of the early internet age.

It will change your business. It is coming. You must be prepared. Yet like a lot of substantial changes in business, there are big opportunities here for everyone involved. Those who get it right will get ahead. Those who don’t take it seriously until it’s too late could suffer huge consequences. Make it part of your agency-client dialogue as soon as possible.

Tom Manning is head of strategy at Forward3D
